When business leaders suspect a possible data breach, they must immediately bring together a strong and able team to respond. This team often includes a collection of experts with whom executives are closely aligned—attorneys and a PR firm among them—and one party executives are less familiar with: an external incident response team.
I’m going to try to demystify incident responders. Following are the five questions I’m most frequently asked by businesses when they first call me, and my responses. I’ve laid them out in black and white to explain the basics of how incident responders work. My hope is that this information will help you be better prepared and informed for the future.
Question 1: What does an incident response team do?
An incident response team, often abbreviated IR team, is also commonly referred to by legal counsel as “forensic specialists”. (In information technology communities, forensics and incident response have distinctly different meanings, but in this instance, it’s simply a case of two industries with different lingo.)
The IR team is akin to detectives: they look for evidence to understand how attackers got into a victim’s environment, what the attackers did, how they did it, where they went, and what they took, all while maintaining chain of custody on the evidence to support any subsequent litigation.
In all cases, an incident response team should be an extension of your own internal team. They should work together with you, in your best interest, to investigate an attacker’s activities and to answer key stakeholder questions.
Question 2: When should organizations hire IR teams?
The answer to this question is often complicated by cyber insurance and legal considerations. But my best advice is to retain an IR team before a crisis strikes. If you’re researching service providers and ironing out contracts while a breach is ongoing, attackers have more time to do damage, and there are more opportunities to inadvertently delete or damage critical evidence, for example when log files roll over. Your best bet is to be prepared for an incident before it happens. If you suspect you’ve already been breached and haven’t been proactive, hire an IR team as quickly as possible.
Question 3: How do IR teams work with their clients during a breach investigation?
There are four primary phases to the work an IR team does with a client during a suspected attack: Engagement, Investigation, Containment, and Remediation.
Engagement: When a company calls an IR team for help with a possible breach, the IR team leader will ask questions to better understand the problem, the evidence that exists, the company’s own ability to respond internally, and what resources and/or skill-sets are likely needed to form the response team. Additional factors discussed may include: the contractual agreement, logistics of working on-site vs. performing remote analysis, initial requests for evidence review, communication mechanisms, and frequency.
Investigation: Phase two typically begins with evidence gathering, commonly referred to as “collection” or “preservation”. Next, analysts move into “triage”, the preliminary analysis of initial evidence collected. Triage strives to answer basic questions such as: What kind of attack is suspected, and how sophisticated is it? In many ways, triage is a technical validation of the assumptions discussed in stage one. Once completed, IR team members then determine where further analysis is required, commonly referred to as a “Deep Dive.” These efforts aim to answer the questions on everyone’s mind: how did the attacker get in and what did the attacker do while inside, e.g., was sensitive information accessed, and how much of it was taken from the environment?
Containment: The goal of this phase is to stop the current compromise and kick the attacker out of the environment. Containment typically runs in parallel with the investigation, with recommendations made on an ongoing basis as soon as the investigation has produced enough evidence to support them.
Remediation: Once analysis is complete, the IR team provides recommendations for cleaning up the incident and defending against a similarly waged attack in the future.
Question 4: What information sources do IR teams need from clients?
IR teams will require a number of relevant data sources during an investigation. Depending on the type of compromise, evidence sources could include firewall logs, web proxy logs, domain controller logs or images, VPN logs, antivirus logs, malware samples or binaries, IDS/IPS logs, virtual machine snapshots, affected host logs or images, and so on. Importantly, IR teams focus on chain of custody and the defensibility of evidence collection so that litigation needs and regulatory inquiries are adequately addressed.
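The chain-of-custody point above is easy to state and easy to get wrong in practice, so here is an added example (not code from the original article) of what a minimal, defensible collection record looks like: each artifact is hashed at the moment of collection, the collector and time are recorded, every hand-off is appended to the record, and the artifact can be re-verified later. The evidence names, hosts, byte contents and the volatility ranking that decides collection order are all constructed assumptions.

```python
"""Chain-of-custody manifest for collected evidence.

Added example, not code from the original article. The volatility ranks,
evidence names and sample artifacts below are constructed assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed volatility ranking: lower numbers are more volatile and get
# collected first (memory before logs, logs before disk images).
VOLATILITY = {
    "memory_dump": 0,
    "firewall_log": 1,
    "proxy_log": 1,
    "vpn_log": 1,
    "antivirus_log": 2,
    "malware_sample": 3,
    "host_image": 4,
}

# Constructed evidence sources for the walkthrough (kind, name, host, bytes).
SAMPLE_SOURCES = [
    {"kind": "host_image", "name": "ws-17.dd", "host": "ws-17",
     "data": b"\x00" * 512},  # stand-in for a disk image
    {"kind": "firewall_log", "name": "fw01-2024-03-02.log", "host": "fw01",
     "data": b"2024-03-02T08:14:02Z allow src=10.0.0.17 dst=203.0.113.45\n"},
    {"kind": "memory_dump", "name": "ws-17.mem", "host": "ws-17",
     "data": b"\x90" * 256},  # stand-in for a memory capture
]


def order_for_collection(sources):
    """Most volatile first; ties broken by name so the order is reproducible."""
    return sorted(sources, key=lambda s: (VOLATILITY.get(s["kind"], 99), s["name"]))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def record_collection(source, collector, when=None):
    """One manifest entry: what was taken, from where, by whom, when, and its hash."""
    when = (when or datetime.now(timezone.utc)).isoformat()
    data = source["data"]
    return {
        "name": source["name"], "kind": source["kind"], "host": source["host"],
        "size": len(data), "sha256": sha256_hex(data),
        "custody": [{"holder": collector, "action": "collected", "at": when}],
    }


def transfer_custody(entry, from_holder, to_holder, when=None):
    """Append a hand-off; only the current holder can release the artifact."""
    if entry["custody"][-1]["holder"] != from_holder:
        raise ValueError("custody hand-off must come from the current holder")
    when = (when or datetime.now(timezone.utc)).isoformat()
    entry["custody"].append(
        {"holder": to_holder, "action": f"received from {from_holder}", "at": when})
    return entry


def verify(entry, data):
    """Re-hash the artifact; any change since collection breaks the match."""
    return len(data) == entry["size"] and sha256_hex(data) == entry["sha256"]


def build_manifest(sources, collector):
    """Collect in volatility order and return the list of custody entries."""
    return [record_collection(s, collector) for s in order_for_collection(sources)]


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_SOURCES, "analyst-a")
    transfer_custody(manifest[0], "analyst-a", "evidence-locker")
    print(json.dumps(manifest, indent=2))
```

The manifest itself should be stored and hashed separately from the artifacts it describes; a record that travels with the evidence and can be altered by whoever holds it proves nothing.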
Question 5: How do IR teams find evidence of compromise?
There are several techniques IR teams can use to identify evidence of attacker activity, also called indicators of compromise (IOCs). IR analysts work to identify these IOCs and use them to follow the attacker’s trail, moving from system to system within the environment. This information is then aggregated from various sources to compile the ‘story’ of the compromise.
Analysis techniques can include host-based forensics (analysis of assets such as servers, desktops, and laptops), network forensics (analysis of evidence sources such as firewalls, IDS/IPS, and web proxies), memory forensics (analysis of a computer’s memory dump), malware analysis and reverse engineering (analysis of programs used by the attacker to derive intelligence about how the malicious code was built and what it does), application of actionable threat intelligence (characteristics or knowledge of a known or emerging threat actor), and the use of custom or proprietary tools.
Each of the analysis techniques summarized above has pros and cons that matter in different situations. Decisions about which to apply depend on multiple factors, including cost, time requirements, legal implications, the subject-matter skills of the available analysts, the volatility of the data source (e.g., logs are typically collected before disk images because logs tend to roll over), and evidence availability.
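Question 5 describes IOCs being used to follow the attacker’s trail from system to system and then aggregated from several sources into one story. The following is an added example, not code from the original article, of that pivoting loop in miniature: a sweep starts from a few seed indicators, every hit contributes new leads (the source address or account on the matching line), and the sweep repeats until no new leads appear, after which the hits from all sources are sorted into a single timeline. The indicators, hostnames and log lines are constructed (203.0.113.0/24 and example.net are documentation ranges and names), and the sha256 value is a placeholder.

```python
"""IOC sweep that pivots across evidence sources to build a timeline.

Added example, not from the original article. The indicators, hostnames
and log lines are all constructed (203.0.113.0/24 and example.net are
documentation ranges/names); the sha256 value is a placeholder.
"""
import re
from datetime import datetime

# Seed indicators an IR team might start from (constructed values).
SEED_IOCS = {
    "203.0.113.45",                # attacker command-and-control IP
    "update-check.example.net",    # attacker domain
    "a" * 64,                      # placeholder sha256 of the dropped binary
    "svchost_update.exe",          # dropped file name
}

# Constructed log lines: "<timestamp> <source> key=value ...".
SAMPLE_LOGS = [
    "2024-03-02T08:00:00Z proxy host=ws-22 src=10.0.0.22 method=GET url=https://www.example.com/",
    "2024-03-02T08:13:55Z proxy host=ws-17 src=10.0.0.17 method=GET url=https://update-check.example.net/agent",
    "2024-03-02T08:14:02Z firewall host=fw01 action=allow src=10.0.0.17 dst=203.0.113.45 dport=443",
    "2024-03-02T08:20:31Z antivirus host=ws-17 action=detected "
    "file=C:\\Users\\jdoe\\AppData\\Local\\svchost_update.exe sha256=" + "a" * 64,
    "2024-03-02T09:02:10Z dc host=dc01 event=logon type=3 user=svc_backup src=10.0.0.17 dst=fileserver02",
    "2024-03-02T09:05:44Z fileserver host=fileserver02 event=smb_read user=svc_backup file=payroll.xlsx",
    "2024-03-02T09:10:00Z dc host=dc01 event=logon type=3 user=alice src=10.0.0.22 dst=fileserver02",
]

# Fields whose values become new leads when a line hits. "dst" and "host" are
# deliberately excluded: pivoting on a shared server name would sweep in
# every unrelated user of that server.
PIVOT_KEYS = ("src", "user")


def parse_line(line):
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    # Tokenise on whitespace, '=', URL and path separators so an indicator
    # is matched as a whole value, not as a substring of something else.
    tokens = {t for t in re.split(r"[\s=/:\\]+", rest) if t}
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "source": source, "fields": fields, "tokens": tokens}


def sweep(lines, seeds):
    """Repeat the sweep until no new leads appear (a fixed point)."""
    leads = {ioc: "seed" for ioc in seeds}
    hits = {}                        # line index -> matched indicators
    parsed = [parse_line(l) for l in lines]
    changed = True
    while changed:
        changed = False
        for i, rec in enumerate(parsed):
            if i in hits:
                continue
            matched = sorted(ind for ind in leads if ind in rec["tokens"])
            if not matched:
                continue
            hits[i] = matched
            changed = True
            for key in PIVOT_KEYS:
                val = rec["fields"].get(key)
                if val and val not in leads:
                    leads[val] = f"pivot from {rec['source']} via {matched[0]}"
    return leads, hits


def build_timeline(lines, hits):
    """Aggregate the hits from all sources into one chronological story."""
    entries = []
    for i, matched in hits.items():
        rec = parse_line(lines[i])
        entries.append({"ts": rec["ts"].isoformat(), "source": rec["source"],
                        "host": rec["fields"].get("host"), "matched": matched})
    return sorted(entries, key=lambda e: e["ts"])


def investigate(lines, seeds):
    """Return (leads with their provenance, chronological timeline of hits)."""
    leads, hits = sweep(lines, seeds)
    return leads, build_timeline(lines, hits)


if __name__ == "__main__":
    leads, timeline = investigate(SAMPLE_LOGS, SEED_IOCS)
    for e in timeline:
        print(e["ts"], e["source"], e["host"], ", ".join(e["matched"]))
    for lead, origin in leads.items():
        print(f"{lead}: {origin}")
```

Two design points carry over to real investigations: every derived lead keeps a note of which source and which indicator produced it, so the resulting story is defensible rather than a pile of matches, and the choice of pivot fields is a judgement call that trades coverage against noise, which is one of the reasons the trade-offs listed above are decided case by case.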
As you can see, there is a lot to talk about at the start of a relationship with your IR team, and these conversations are best had in advance of a suspected attack. Think about hiring IR help before a breach so you can approach the process with peace of mind and have time to learn the ins and outs of the relationship when you’re not in crisis mode. Then, on the day you need your IR team, you’ll be relieved to have them on speed dial. If there’s one thing I always tell prospective clients, it’s this: be proactive. Build your team before becoming a victim.